Sub-processors
Who else touches your data
Last updated: May 2026
Penroll runs on a small, deliberately chosen set of vendors — most of them with their own EU data residency. We give 14 days’ notice before adding a new sub-processor (see section 4 of the DPA).
| Vendor | Purpose | Data exposed | Location |
|---|---|---|---|
| Supabase (Powerbase, Inc.) | Primary database, authentication, object storage for CVs and offer letters. | All customer + candidate data | EU (Frankfurt) — Customer data only |
| Vercel | Application hosting, edge functions, serverless API routes. | Request metadata, no customer data at rest | Global edge / EU regions for compute |
| Anthropic | AI inference for job-description generation, CV ranking, screening questions, and offer letters. | Prompt content (role specs, CV text, offer details) — model providers do not retain inputs for training under our agreement | US — covered by SCCs and prompt-redaction safeguards |
| Stripe | Subscription billing, top-up credits, invoicing. | Customer name, email, billing address, payment method (Stripe holds card data, not Penroll) | EU + US — SCC + Stripe DPA in place |
| Resend | Transactional email delivery (interview invites, rejections, offer letters, account emails). | Recipient email, subject, body | US — SCC in place |
| Cloudflare | DDoS protection, WAF, bot management, TLS termination for penroll.app. | IP addresses, request headers; no body inspection on encrypted traffic | Global edge |
| Cal.com | Customer-facing demo booking page only (cal.com/arnas-uzdila-uy3za5). Not part of the in-product interview flow. | Visitor name, email, calendar slot | EU (Frankfurt) for EU-hosted plan |
Object to a new sub-processor
Scale and Enterprise customers can object to a newly-added sub-processor during the 14-day notice period. Email privacy@penroll.app with the objection and we’ll work in good faith to find an acceptable alternative.